Write a threat detection rule that leverages the New Terms rule type to identify an illicit consent grant phishing attempt. The New Terms values would be azure.auditlogs.properties.tenantId and ideally azure.auditlogs.properties.additional_details.AppId. The additional_details field would, for now, be a flattened field type so we can write queries on values in these dynamic fields.
{
"Level": 4,
"callerIpAddress": "8.8.8.8",
"category": "AuditLogs",
"correlationId": "sanitized",
"durationMs": 0,
"operationName": "Consent to application",
"operationVersion": "1.0",
"properties": {
"activityDateTime": "2025-03-22T15:49:51.6685434+00:00",
"activityDisplayName": "Consent to application",
"additionalDetails": [
{ "key": "User-Agent", "value": "EvoSTS" },
{ "key": "AppId", "value": "sanitized" }
],
"category": "ApplicationManagement",
"correlationId": "sanitized",
"id": "sanitized",
"identity": "",
"initiatedBy": {
"user": {
"displayName": null,
"id": "sanitized",
"ipAddress": "sanitized",
"roles": [],
"userPrincipalName": "sanitized"
}
},
"loggedByService": "Core Directory",
"operationName": "Consent to application",
"operationType": "Assign",
"result": "success",
"resultDescription": "",
"resultReason": "",
"resultType": "",
"targetResources": [
{
"administrativeUnits": [],
"displayName": "suspiciousApp",
"id": "sanitized",
"modifiedProperties": [
{
"displayName": "ConsentContext.IsAdminConsent",
"newValue": "\"True\"",
"oldValue": null
},
{
"displayName": "ConsentContext.IsAppOnly",
"newValue": "\"False\"",
"oldValue": null
},
{
"displayName": "ConsentContext.OnBehalfOfAll",
"newValue": "\"True\"",
"oldValue": null
},
{
"displayName": "ConsentContext.Tags",
"newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\"",
"oldValue": null
},
{
"displayName": "ConsentAction.Permissions",
"newValue": "\"[[Id: sanitized, ClientId: 7sanitized, PrincipalId: , ResourceId: sanitized, ConsentType: AllPrincipals, Scope: openid profile offline_access User.Read Mail.Read, CreatedDateTime: , LastModifiedDateTime ]] =\u003e [[Id: sanitized, ClientId: sanitized, PrincipalId: , ResourceId: sanitized, ConsentType: AllPrincipals, Scope: openid profile offline_access User.Read Mail.Read, CreatedDateTime: , LastModifiedDateTime ]]; \"",
"oldValue": null
},
{
"displayName": "ConsentAction.Reason",
"newValue": "\"Risky application detected\"",
"oldValue": null
},
{
"displayName": "TargetId.ServicePrincipalNames",
"newValue": "\"sanitized\"",
"oldValue": null
}
],
"type": "ServicePrincipal"
}
],
"tenantGeo": "NA",
"tenantId": "fb83355b-3bfe-4849-a3bc-480c7564e41b",
"userAgent": null
},
"resourceId": "/tenants/fb83355b-3bfe-4849-a3bc-480c7564e41b/providers/Microsoft.aadiam",
"resultSignature": "None",
"tenantId": "fb83355b-3bfe-4849-a3bc-480c7564e41b",
"time": "2025-03-22T15:49:51.6685434Z"
}
Integration Name
Azure Logs [azure]
Dataset Name
azure.auditlogs
Integration Version
1.23.0
Agent Version
9.0.0
OS Version and Architecture
serverless
User Goal
Write a threat detection rule that leverages the New Terms rule type to identify an illicit consent grant phishing attempt. The New Terms values would be
azure.auditlogs.properties.tenantId and ideally azure.auditlogs.properties.additional_details.AppId. The additional_details field would, for now, be a flattened field type so we can write queries on values in these dynamic fields.
Existing Features
At the moment,
azure.auditlogs.properties.additional_details has the keys and values separated (the event above stores additionalDetails as an array of { "key", "value" } pairs), which does not allow us to properly check azure.auditlogs.properties.additional_details.AppId for new terms, where the reported client ID would be checked for first occurrences. These client IDs are also important for tracking malicious Entra apps registered by adversaries.
What did you see?
Anything else?
Original Event
{ "Level": 4, "callerIpAddress": "8.8.8.8", "category": "AuditLogs", "correlationId": "sanitized", "durationMs": 0, "operationName": "Consent to application", "operationVersion": "1.0", "properties": { "activityDateTime": "2025-03-22T15:49:51.6685434+00:00", "activityDisplayName": "Consent to application", "additionalDetails": [ { "key": "User-Agent", "value": "EvoSTS" }, { "key": "AppId", "value": "sanitized" } ], "category": "ApplicationManagement", "correlationId": "sanitized", "id": "sanitized", "identity": "", "initiatedBy": { "user": { "displayName": null, "id": "sanitized", "ipAddress": "sanitized", "roles": [], "userPrincipalName": "sanitized" } }, "loggedByService": "Core Directory", "operationName": "Consent to application", "operationType": "Assign", "result": "success", "resultDescription": "", "resultReason": "", "resultType": "", "targetResources": [ { "administrativeUnits": [], "displayName": "suspiciousApp", "id": "sanitized", "modifiedProperties": [ { "displayName": "ConsentContext.IsAdminConsent", "newValue": "\"True\"", "oldValue": null }, { "displayName": "ConsentContext.IsAppOnly", "newValue": "\"False\"", "oldValue": null }, { "displayName": "ConsentContext.OnBehalfOfAll", "newValue": "\"True\"", "oldValue": null }, { "displayName": "ConsentContext.Tags", "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\"", "oldValue": null }, { "displayName": "ConsentAction.Permissions", "newValue": "\"[[Id: sanitized, ClientId: 7sanitized, PrincipalId: , ResourceId: sanitized, ConsentType: AllPrincipals, Scope: openid profile offline_access User.Read Mail.Read, CreatedDateTime: , LastModifiedDateTime ]] =\u003e [[Id: sanitized, ClientId: sanitized, PrincipalId: , ResourceId: sanitized, ConsentType: AllPrincipals, Scope: openid profile offline_access User.Read Mail.Read, CreatedDateTime: , LastModifiedDateTime ]]; \"", "oldValue": null }, { "displayName": "ConsentAction.Reason", "newValue": "\"Risky application detected\"", "oldValue": null }, { 
"displayName": "TargetId.ServicePrincipalNames", "newValue": "\"sanitized\"", "oldValue": null } ], "type": "ServicePrincipal" } ], "tenantGeo": "NA", "tenantId": "fb83355b-3bfe-4849-a3bc-480c7564e41b", "userAgent": null }, "resourceId": "/tenants/fb83355b-3bfe-4849-a3bc-480c7564e41b/providers/Microsoft.aadiam", "resultSignature": "None", "tenantId": "fb83355b-3bfe-4849-a3bc-480c7564e41b", "time": "2025-03-22T15:49:51.6685434Z" }